@@ -4,16 +4,29 @@ We assume installation inside Docker (probably not the right tool for most use-c
44
55## ` FROM debian `
66
7+ [ Debian 9 ("Debian Stretch") or newer] ( https://packages.debian.org/gosu ) :
8+
9+ ``` dockerfile
10+ RUN set -eux; \
11+ apt-get update; \
12+ apt-get install -y gosu; \
13+ rm -rf /var/lib/apt/lists/*; \
14+ # verify that the binary works
15+ gosu nobody true
16+ ```
17+
18+ Older Debian releases (or newer ` gosu ` releases):
19+
720``` dockerfile
821ENV GOSU_VERSION 1.10
9- RUN set -ex; \
10- \
11- fetchDeps=' \
12- ca-certificates \
13- wget \
14- ' ; \
22+ RUN set -eux; \
23+ # save list of currently installed packages for later so we can clean up
24+ savedAptMark="$(apt-mark showmanual)" ; \
1525 apt-get update; \
16- apt-get install -y --no-install-recommends $fetchDeps; \
26+ apt-get install -y --no-install-recommends ca-certificates wget; \
27+ if ! command -v gpg; then \
28+ apt-get install -y --no-install-recommends gnupg2 dirmngr; \
29+ fi; \
1730 rm -rf /var/lib/apt/lists/*; \
1831 \
1932 dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" ; \
@@ -22,27 +35,33 @@ RUN set -ex; \
2235 \
2336# verify the signature
2437 export GNUPGHOME="$(mktemp -d)" ; \
38+ # for flaky keyservers, consider https://github.com/tianon/pgp-happy-eyeballs, ala https://github.com/docker-library/php/pull/666
2539 gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
2640 gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
27- rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc; \
41+ command -v gpgconf && gpgconf --kill all || :; \
42+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
43+ \
44+ # clean up fetch dependencies
45+ apt-mark auto '.*' > /dev/null; \
46+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
47+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
2848 \
2949 chmod +x /usr/local/bin/gosu; \
3050# verify that the binary works
31- gosu nobody true; \
32- \
33- apt-get purge -y --auto-remove $fetchDeps
51+ gosu nobody true
3452```
3553
36- ## ` FROM alpine ` (3.3+)
54+ ## ` FROM alpine ` (3.7+)
55+
56+ ** Note:** when using Alpine, it's probably also worth checking out [ ` su-exec ` ] ( https://github.com/ncopa/su-exec ) (` apk add --no-cache su-exec ` ) instead, which since version 0.2 is fully ` gosu ` -compatible in a fraction of the file size.
3757
3858``` dockerfile
3959ENV GOSU_VERSION 1.10
40- RUN set -ex ; \
60+ RUN set -eux ; \
4161 \
4262 apk add --no-cache --virtual .gosu-deps \
4363 dpkg \
4464 gnupg \
45- openssl \
4665 ; \
4766 \
4867 dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" ; \
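Review bot: The `gpg --keyserver … --recv-keys` call at new line 39 (and the identical one at new line 74 in the Alpine block) still runs without `--batch`, although the `--verify` call directly after it has it. Both run inside a non-interactive `docker build`, so I would make them consistent: `gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \`. Since people copy these snippets verbatim, it would also help to say next to `export GNUPGHOME="$(mktemp -d)"` why the keyring is fresh, e.g. `# empty keyring: only the key fetched below can satisfy --verify`. The `RUN` block these lines belong to starts above this hunk.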
@@ -51,42 +70,16 @@ RUN set -ex; \
5170 \
5271# verify the signature
5372 export GNUPGHOME="$(mktemp -d)" ; \
73+ # for flaky keyservers, consider https://github.com/tianon/pgp-happy-eyeballs, ala https://github.com/docker-library/php/pull/666
5474 gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
5575 gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
56- rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc; \
57- \
58- chmod +x /usr/local/bin/gosu; \
59- # verify that the binary works
60- gosu nobody true; \
76+ command -v gpgconf && gpgconf --kill all || :; \
77+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
6178 \
62- apk del .gosu-deps
63- ```
64-
65- When using Alpine, it's probably also worth checking out [ ` su-exec ` ] ( https://github.com/ncopa/su-exec ) (` apk add --no-cache su-exec ` ), which since version 0.2 is fully ` gosu ` -compatible in a fraction of the file size.
66-
67- ## ` FROM centos `
68-
69- ``` dockerfile
70- ENV GOSU_VERSION 1.10
71- RUN set -ex; \
79+ # clean up fetch dependencies
80+ apk del --no-network .gosu-deps; \
7281 \
73- yum -y install epel-release; \
74- yum -y install wget dpkg; \
75- \
76- dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" ; \
77- wget -O /usr/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" ; \
78- wget -O /tmp/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" ; \
79- \
80- # verify the signature
81- export GNUPGHOME="$(mktemp -d)" ; \
82- gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
83- gpg --batch --verify /tmp/gosu.asc /usr/bin/gosu; \
84- rm -r "$GNUPGHOME" /tmp/gosu.asc; \
85- \
86- chmod +x /usr/bin/gosu; \
82+ chmod +x /usr/local/bin/gosu; \
8783# verify that the binary works
88- gosu nobody true; \
89- \
90- yum -y remove wget dpkg; \
91- yum clean all
84+ gosu nobody true
9285```